People,

Let's not start a flame war here. Andre Boucher replied to me that it may be a good idea to change the "public" string anyway and I tend to agree with this. However, it is not enough and the approach using access lists is certainly more secure as it needs more skill to break it.

General precautions:

1) Only enable what you need enabled, have the rest disabled. This is *also* true for snmp
2) Do not rely on secrets to protect your environment. Do not "hide" your key in the flower pot next to the door or similar.
3) Use multiple ways to secure your environment.

On the reply from Rick I have to object strongly as his comparison is just the opposite from what he should have made:

> This sounds a little bit like:
>
> I disagree with this. If safety is an issue, you should not rely on door
> locks which can easily be broken down by a determined house robber.
>

Compare the community string with a number-pad lock type that is preconfigured with a known "password". If you change it but anybody can look over your shoulder, they're in. Period. For networking this can be done using tcpdump or similar tools. Once it is seen on the network, they can use it and in they are.

However, if you have an access list protecting the entry then:

> Just have your nosey neighbor watch the front door and tell everyone to go
> away.
>

No, you have a doorman -inside the building- that only opens the door to known people. The nosey neighbor is the one mentioned above and is the one stealing your password. The neighbor is not allowed access through your door if he's screened by the man inside. He would need to masquerade as you to get in and if not, he's known to be one of the bad guys.

A script kiddy can scan your community string on a badly designed network. It needs a bit more skill to work around the access list, and you would need to scan the network anyways to fetch the results so the community string will be known anyway.

> Rick Horowitz           Cisco Certified Network Associate
> Network Administrator   Microsoft Certified Professional

Wow, I'm very impressed.

Alex

--
* To unsubscribe from the mrtg mailing list, send a message with the
  subject: unsubscribe to mrtg-request@list.ee.ethz.ch
* The mailing list archive is at http://www.ee.ethz.ch/~slist/mrtg
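
An added example, not part of the original message or of MRTG: a small Python audit of the two controls discussed above, changing the "public" community string and binding the community to an access list. It assumes Cisco IOS-style `snmp-server community` and `access-list` lines, which the message does not specify; the sample configuration, community names and addresses are constructed.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample configuration (documentation addresses, made-up strings).
SAMPLE_CONFIG = """\
access-list 10 permit host 192.0.2.10
access-list 10 deny any
snmp-server community public RO
snmp-server community n0t-public RO
snmp-server community mrtg-poll RO 10
snmp-server community public RO 10
snmp-server community mrtg-rw RW 20
"""

def audit_snmp(config):
    """Return (community, findings) for each snmp-server community line."""
    # ACL identifiers that are actually defined somewhere in the config.
    defined = set(re.findall(r"^access-list (\S+) (?:permit|deny)\b", config, re.M))
    defined |= set(re.findall(r"^ip access-list standard (\S+)", config, re.M))
    results = []
    for line in config.splitlines():
        m = re.match(r"snmp-server community (\S+)(.*)$", line.strip())
        if not m:
            continue
        community, rest = m.group(1), m.group(2).split()
        findings = []
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("default community string")
        # Drop the optional "view NAME" pair and RO/RW; what is left is the ACL.
        if "view" in rest:
            i = rest.index("view")
            del rest[i:i + 2]
        acl = [t for t in rest if t.upper() not in ("RO", "RW")]
        if not acl:
            findings.append("no access list: any source that learns the string can poll")
        elif acl[-1] not in defined:
            findings.append("references undefined access list " + acl[-1])
        if "RW" in (t.upper() for t in m.group(2).split()):
            findings.append("read-write access")
        results.append((community, findings))
    return results

if __name__ == "__main__":
    for community, findings in audit_snmp(SAMPLE_CONFIG):
        print(community, "->", "; ".join(findings) or "ok")
```

The `n0t-public` line is the case argued above: the string was changed, but without an access list anyone who sees it on the wire can still use it.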